I wanted to address both, but realised I was in danger of rambling - so I have decided just to look at Gruber's post.

One thing which annoys me, and which I addressed in my talk to NSConference in April, is this idea that security means something different in the online world than the real world.

No, it doesn't.

If we try to claim that words have different meanings when used about computers then all we end up doing is confusing people. Do any of the keys you lock your doors with have a piece you give away freely to other people? No? Then why do we have public keys in asymmetric encryption?

Anyway, in the Daring Fireball post, we see "Security is about technical measures, like the strength of the locks on your doors and windows."

Those are security measures. Security is being (or feeling) free from threat, both in the real world and online. I saw a definition of security as a state where "things which should happen, do, and things which shouldn't happen, don't" and to me that seems like a good meaning. Notice too that it isn't a technosphere-only definition.

So why has Gruber taken a narrower view?

Maybe he wanted to avoid the "Macs are more secure" canard by giving "the likelihood that you'll actually suffer from some sort of attack" another name: safety. So it doesn't matter whether Macs are more secure or not, says he, they're more safe and that's what people are after.

Well, it isn't; it's (along with the cost of such an attack) risk. Safety is the state of not suffering or causing harm.

But even ignoring the lexical games, risks are like stock prices - previous performance isn't always a good indicator of future behaviour. When CISOs write security policies they consider (or at least they should consider) what looks likely to happen - or expensive if it were to happen, or both - in the future. Relying too heavily on one's own past experience is a well-known bias, though: it's a form of the availability heuristic.

Just as people who've never been burgled tend to consider the likelihood of being burgled in the future to be lower than those who have, could it be that the Mac users who've never knowingly experienced a malware attack have an artificially low opinion of the future likelihood?

What we really know is that Macs have a lower historical frequency of being targets of malware attacks.

Risks are also like shares in that there are many of them, and they all perform differently.

About the author

Graham Lee's business card says he's a "smartphone security boffin", so it must be true. He owns Fuzzy Aliens Limited, a security consultancy service for mobile app developers, has written a book on Mac application security and is often found speaking at iPhone developer conferences, helping developers get security right and taking the burden off the users. Graham writes a blog about secure Mac programming. Follow him on Twitter at @iamleeg.